1. I am of majority age and otherwise competent to testify as to the matters herein, based on my personal knowledge and information provided to me in the course of my employment.

2. I am the Deputy Associate Deputy Assistant Secretary (Deputy ADAS) for the Office of Cyber and Information Security (OCIS) in the Office of Information Technology. I have held this position since May of 2005. I have over ten (10) years of experience in the areas of security and security awareness training.

3. As the Deputy Associate Deputy Assistant Secretary, I am the agency official in charge of VA's Office of Cyber and Information Security (OCIS), which provides cyber security guidance and oversight to VA organizations, as well as policy, procedure, reporting, and oversight support for all VA cyber security.

4. In order to ensure that all VA personnel who access VA data are aware of and adhere to all applicable authorities regarding the protection of VA computer systems and data, OCIS developed the Cyber Security Awareness Course ("Security Course"). This training is specifically required by the Computer Security Act of 1987, Pub. L. 100-235 (H.R. 145), which mandates that all federal agencies provide annual training in computer security awareness. Furthermore, the Federal Information Security Management Act (FISMA), 44 USC 3544(b)(4), requires agencies to provide periodic training in computer security awareness and accepted computer practices for all appropriate personnel.

5. The Security Course is required annually of VA employees, contractors, volunteers, interns, and others who utilize VA computers, networks, and electronic information systems to perform their job duties. Along with pamphlets, posters, and other material prepared and distributed by OCIS to promote the awareness of computer security, the course provides awareness of key security practices and procedures to ensure the confidentiality, integrity, and appropriate availability of private data, the timely and uninterrupted flow of information throughout the department, and the protection of VA information systems from the potential of fraud, waste and abuse.

6. The Security Course instructs users on how to create passwords in a manner that maintains their security effectiveness; recognize confidential information and handle it in a manner consistent with VA policy; comply with cyber security requirements that protect an individual's privacy; practice individual actions that ensure sensitive data are backed up; recognize dangerous activities when using e-mail; report suspected cyber security incidents to the ISO; recognize that VA's information is an important part of the nation's critical infrastructure; know when an attempt is made to extract information without authorization; identify instances where the use of VA's information resources is not authorized under the concept of "Limited Personal Use"; and determine when computer gear needs to be thoroughly "scrubbed."

7. The course informs users of laws designed to protect the individuals whose data the users work with on a day-to-day basis. In addition, it instructs users to adhere to and verify established procedures and cautions them of intentional or unintentional misuse or inappropriate use of VA data or resources, for which eleven (11) examples are provided.

8. To ensure that all VA personnel with access to VA data complete the training, the Security Course is available in several formats. The online training is available both through the intranet, for VA employees, and the internet, for those without access to the VA intranet. It is organized into eleven (11) lessons and several short quizzes that must be taken in sequential order: 1. Know Your ISO, 2. Passwords, 3. Confidentiality, 4. Privacy, 5. Backups, 6. Email, 7. Viruses, 8. Incident, 9. Infrastructure Protection, 10. Social Engineering, and 11. Authorized Use.

9. The course instructs users to sign in and enroll online for the program, review and complete all course lessons, and complete the course evaluation. Users must then print the certificate of completion at the end of the course and submit it to their supervisor, facility education office, or information security officer.

10. In addition to the online training, a video version of the training is available by satellite broadcast, and a text version of the training may be printed and distributed to the very few users unable to complete the other versions. Both versions contain the same basic information as the online course. Users of these versions must certify to their supervisor, facility education office, or information security officer that they have completed the mandated security awareness training.

11. Some VA facilities have developed facility-specific cyber security awareness training, which fulfills the security awareness training requirement as long as: the length of the course is a minimum of one contact hour; the content is provided in an interesting and informative manner; the training includes all relevant content presented in the Cyber Security Awareness Course developed by OCIS; and completion of the training is tracked electronically for reporting compliance.

12. The VA Employee Education System (EES) administers the Cyber Security Awareness Course developed by OCIS. To track the completion of the training by all appropriate personnel and ensure that the security awareness training requirement is fulfilled department-wide, EES uses an online portal that shows for each user the status of completed and incomplete courses.

13. Attached as exhibit A are true and correct copies of screen printouts from the 
Cyber Security Awareness Course described in paragraphs 3-7 above. 

14. The certificate of security awareness training is effective for one fiscal year, since the course must be completed every year. Completion of the training is tracked for each user through an online portal maintained by the VA Employee Education System (EES).

15. The certificate of John Doe (the VA employee whose home was burglarized and whose personal laptop computer and external hard drive containing VA data were stolen), as provided to me by EES, indicates that he fulfilled the requirement for security awareness training by successfully completing the online version of the Cyber Security Awareness Course for fiscal year 2006 on March 31, 2006.

16. Attached as exhibit B is a true and correct redacted copy of John Doe's certificate, as provided to me by EES, indicating his completion of the online version of the Cyber Security Awareness Course for 2006.

17. An additional certificate of John Doe, as provided to me by EES, indicates that John Doe fulfilled this requirement for previous years by completing the online version of the Security Awareness Course for 2005 on June 8, 2005.

18. Attached as exhibit C is a true and correct redacted copy of John Doe's certificates, as provided to me by EES, indicating his completion of the online version of the Cyber Security Awareness Course for 2005.

I declare under the penalty of perjury that the foregoing is true and correct.

DATED CAROL WILLIAMS

Cyber Security Awareness FY-06 (Intranet)

Welcome and Introduction Page 1 of 1 
Training Course. The Federal Information Security Management Act (FISMA) 44 USC 
3544(b)(4) mandates that each federal agency provide periodic training in computer 
security awareness and accepted computer practices for all employees, contractors, and 
volunteers. This training meets those requirements. The course is designed to take 
approximately 1 hour. 

This course will help you to understand the responsibilities you have to protect VA's 
information assets, especially information about our veterans, and it shows you ways to 
meet these responsibilities. 

Successful completion of this course will fulfill your requirement for annual information 
security awareness training established under public law, VA policy, and other requirements. 

PRIVACY STATEMENT - Read before you continue with the course 

This course is mandatory for all VA employees, contractors and volunteers and any persons 
that utilize VA computers, networks, and electronic information systems. This training is 
posted and refreshed annually. All new employees, contractors and volunteers are required 
to take this training within 30 days of joining VA. 

A team of subject matter experts from the VA Office of Cyber and Information Security 
(OCIS) and VA Employee Education System (EES) created and developed this training. 

Basic Course Information: 

Your registration information will be safeguarded in the same manner as all other EES 
courses and in compliance with VA Privacy requirements. See vaww.va.gov/privacy for 
additional information. 

You may leave the course at any time. Your progress through the course will be saved and 
you will be provided a link to the location you left when you re-enter the course. 

You do not have to register again. You may read information about this course in the brochure 
by clicking on the link on the main menu bar or the next button at the top and bottom of 
the screen. 

Common Questions and Answers before you start: 

The best way to view this training is with Internet Explorer 4.0 or higher, a monitor 
resolution of 800x600 and displayed at 256 colors. If you have additional hardware or 
software technical questions, please ask your local Information Systems Support Staff or 
Education Contact to assist you. If needed, one of them will contact the local system 
administrator. 

For navigation details about the course, click on the help button. 
If you have questions on how to use your Internet Browser, difficulty accessing the network 
or difficulty printing pages from the browser contact your local Information System Support 
Staff. 

If you are ready to begin the course just click on Next located at either the top or bottom of 
this page. 



Page 2 of 40 



Case 1:06-cv-01944-JR Document 3-21 Filed 11/20/2006 Page 9 of 48 
Course Brochure Page 1 of 1 

Department of Veterans Affairs 

Employee Education System 

and 

Office of Cyber and Information Security 

presents 
VA Cyber Security Awareness 

Course ID: 06.MN.SH.OCISW.A 
VA National Catalog Number: ITECH-EES-F249 

Place: An Independent Study on the EES On Learning Web Site. 

Purpose: 

This program addresses key security practices and procedures and incorporates the Office of 
Cyber and Information Security top initiatives that all VA staff, contractors and volunteers 
need to be aware of to protect VA's information assets. The Federal Information Security 
Management Act (FISMA) 44 USC 3544(b)(4) mandates that each federal agency provide 
annual training in computer security awareness. The completion of this course satisfies that 
requirement. 

Outcome Objectives: 

Upon completion of this program participants will be able to: 

1. identify the ISO and situations in which it is important to make contact; 

2. create passwords in a manner that maintains their security effectiveness; 

3. recognize confidential information and handle it in a manner consistent with VA Policy; 

4. comply with cyber security requirements that protect an individual's privacy; 

5. practice individual actions that ensure sensitive data are backed up; 

6. recognize dangerous activities when using e-mail; 

7. report suspected cyber security incidents to the ISO; 

8. recognize that VA's information is an important part of the nation's critical infrastructure; 

9. know when an attempt is made to extract information without authorization; 
10. identify instances where the use of VA's information resources is not authorized under 
the concept of "Limited Personal Use;" and 

11. determine when computer gear needs to be thoroughly "scrubbed." 

Target Audience: This course is for all VA staff, contractors and volunteers who use a 
computer to perform their job duties. 

Accreditation/Approval: None 



Continuing Education Credit 

Employee Education System 

The VA Employee Education System designates this educational activity for 0.5 contact 
hour. 

In order to receive a certificate from Employee Education System (EES) you must sign in 
and enroll on line for this program, review and complete all on-line course modules, 
complete the post test, complete the evaluation and print your own certificate at the 
conclusion of the program (certificates will not be mailed). EES cannot issue certificates for 
less than 100% participation as required by accrediting body regulations. 

Report of Training: It is the program participant's responsibility to ensure that this 
training is documented in the appropriate location according to his/her locally prescribed 
process. 

This Independent Study Includes: Web based training materials and Program Evaluation 

Independent Study Implementation Procedure: The web based training material and 
evaluation can be completed using the VA Intranet. The address is 
https://vaww.ees.aac.va.gov 

NOTE: If you experience difficulty reaching this web site, please contact the Help Desk via 
e-mail at eeslibrixhelp@lrn.va.gov. You may also contact your local computer support staff 
for assistance. 

NOTE: In order to complete the program, your computer must have Internet Explorer 4.0 or 
Netscape 4.0 or higher. 

After you take the test, you will receive immediate feedback as to pass or fail. Upon 
completing the course and the evaluation, you will be able to immediately print your 
certificate according to instructions. 



Program Content Outline 

Introduction 
Know Your ISO 
Passwords 
Confidentiality 
Practice Exam 1 
Privacy 
Backups 
Email 
Practice Exam 2 
Viruses 
Incident 
Infrastructure Protection 
Practice Exam 3 
Social Engineering 
Authorized Use 
Practice Exam 4 



Faculty and Planning Committee 

Terri Cinnamon 
Team Leader, TEAP 
The Office of Cyber and Information Security 
Martinsburg, WVA 

Raymond Spry, MBA & MSOD 
New Media Producer 
Employee Education System, Salt Lake City 
Salt Lake City, UT 

Greg Dutkowski 
Computer Specialist 
Office of Cyber and Information Security 
Salt Lake City, UT 

Lisa Holland 
Computer Specialist 
Office of Cyber and Information Security 
Washington, DC 

Susan Hotzler, MA 
Project Manager 
Employee Education System, Minneapolis 
Minneapolis, MN 

Project Manager 
Susan Hotzler, MA 
Program Manager 
Minneapolis Employee Education Resource Center 
Minneapolis, MN 

Program Support Assistant 
Margaret Gephardt 
Program Support Assistant 
Minneapolis Employee Education Resource Center 
Minneapolis, MN 

Media Support 
Raymond Spry, MBA & MSOD 
Senior Instructional Systems Manager 
Salt Lake City Employee Education Resource Center 
Salt Lake City, UT 

Section 508 of the Rehabilitation Act 

The Employee Education System wishes to ensure no individual with a disability is excluded, 
denied services, segregated or otherwise treated differently from other individuals attending 
this workshop because of the absence of auxiliary aids and services. If you require any 
special arrangements to attend and fully participate in this educational activity, please 
contact Susan Hotzler, Project Manager, EES, Minneapolis Employee Education Resource 
Center, phone 612-725-2000, 4549 or by e-mail Susan.Hotzler@lrn.va.gov 

Disclosures 

The Employee Education System (EES) must ensure balance, independence, objectivity, and 
scientific rigor in all EES sponsored educational activities. The intent of this disclosure is not 
to prevent faculty, author, planning committee member or presenter (discloser) with a 
significant financial or other relationship from presenting materials, but rather to provide 
the participant with information on which they can make their own judgments. It remains 
for the participant to determine whether the discloser's interests or relationships influence 
the materials presented with regard to exposition or conclusion. When an unapproved use of 
an FDA approved drug or medical device, or an investigational product not yet FDA approved 
for any purpose is mentioned, EES requires disclosure to the participants. 

Each faculty and planning committee member (author, facilitator, and moderator) reported 
having no financial relationships or interests with any commercial topics that are discussed in 
this activity. This activity includes no discussion of uses of FDA regulated drugs or medical 
devices which are experimental or off-label. 
Welcome and Introduction 

"Cyber Security Awareness" is the knowledge that VA 
employees, contractors, and volunteers utilize to protect 
VA computer systems and data. It is more than policies, 
procedures, rules, and regulations. Cyber Security 
Awareness refers to the personal responsibility each of us 
assumes for ensuring: 

• the confidentiality, integrity, and 
appropriate availability of veterans' private 
data, 

• timely and uninterrupted flow of information 
throughout the VA enterprise, and 

• VA information systems are protected from 
the potential of fraud, waste and abuse. 



Please be aware of any activity that might violate and/or compromise the security of VA 
information systems. Report all incidents to your information security officer. 




This VA Cyber Security Awareness course is 
provided for all VA employees, contractors, 
volunteers, and anyone who may have access to 
any VA information system including the 
personal veteran information and corporate data 
stored in such systems. Successful completion 
of this course will fulfill your requirement for 
annual information security awareness training 
established under public law, VA policy, and 
other requirements. Remember that, while the 
information you review in this course is specific 
to the Department of Veterans Affairs, many of 
the principles which are discussed are also 
relevant to you, as an individual computer user. 



The inclusion of risk concepts and related practices in the VA Cyber Security Awareness 
Training Course permits the unification of high level legislation and policy issues with 
system level controls, measures and metrics. As such, the addition of risk elements can be 
used to augment the current course elements and also provides an opportunity to introduce 
a policy-driven framework and format. 
How This Course Works 

The course contains 11 lessons. You'll also find several short quizzes interspersed between 
the lessons. You must review each lesson and take each quiz. Don't worry, the program 
only tracks that you complete the course, not your scores on the quizzes. You do not have 
to achieve a certain score to successfully complete the course. 

When you are finished, you will be asked to complete a course 
evaluation. Then, you'll receive a certificate of completion. You 
should print and keep the certificate to show you have successfully 
completed this required training. 




This course is best viewed with Internet Explorer. 

If you need to leave the course, you may always come back and start where you left off. 
When you log back in, you will be offered a menu with links to select where you left off, or 
start at the beginning of the course, or exit the system. 

If you lose your certificate, you can always come back to the course and select the "end-of- 
course" link. From there, you can print out another certificate. 

Please read the "Course Brochure" page before you begin. If you need assistance at any 
time, please click on the Help button located on the program menu. 









Know Your ISO Page 1 of 1 



• Do you know all the rules and requirements you should follow to keep VA's 
information secure? 

• Do you know what to do if your computer is infected with an electronic virus? 

• If you witnessed someone using VA's computers for theft or fraud, what would you 
do? 

• Do you know your responsibilities for maintaining confidentiality and privacy? 

• Are you sure that your work is backed up and safe? 

• Do you know your role in your facility's contingency plan? 

There is someone available to help you - your facility Information Security Officer (ISO). 
Every VA facility has an assigned ISO who can help answer these questions and more. 

It is important to know that we are all responsible for information security. Your ISO is a 
great resource for learning about those responsibilities and how to react if you become 
aware of a problem. 

If you do not know your ISO, ask your supervisor or you can visit the Office of Cyber and 
Information Security website for the ISO Directory. 

Risk Awareness 

In order to effectively manage risk it is essential to know how to identify when risk is 
increased beyond what is reasonably expected of the situation you find yourself in. To 
establish this, it is helpful to know which processes are necessary to carry out each task and 
which job functions are responsible for the process being carried out. It is important that 
you know where to look for procedures, processes and guidelines for operational risk, 
information risk and security controls relating to your job function. When you are familiar 
with this information you will be able to respond quickly and effectively when you are 
suspicious about someone's actions, even if the other person is your supervisor. 
Passwords Page 1 of 3 

Passwords are important tools for protecting VA information systems and getting your job 
done. They ensure you have access to the information you need. Keep your password secret 
to protect yourself and your work. If you have several passwords, it is permissible to record 
and store them in a safe place, to which only you have access. 

Password Requirements 

Passwords must: 

• Be constructed of at least eight characters (e.g., Gabc123&). 

• Use at least three of the following four kinds of characters: 
o Upper-case letters (ABC...) 
o Lower-case letters (...xyz) 
o Numbers (0123456789) 
o "Special characters," such as #, &, *, or @. 

• Be changed at least every 90 days. 




Using these rules will provide you with a "strong" password. VA requires strong passwords 
on all information systems. 

Password Theft 

Passwords can be easily stolen or duplicated if constructed poorly. Most password thefts 
occur as a result of poorly constructed passwords or social engineering. We'll discuss social 
engineering later in this course. 

Poor Password Construction 

Many factors can contribute to poor passwords. Some of the most notable are: 

• Passwords that are not "strong," as explained above. 

• Use of common words easily obtained from a dictionary. 

• Passwords referring to your personal life (for example, names of family 
members or pets). 

Easily identifiable passwords are an open invitation to hackers. 
Rules of Thumb for Passwords 

• Don't use words found in a dictionary. 

• Follow the rules for strong passwords. 

• Don't use personal references (names, birthdays, addresses, etc.). 

• Change your passwords at least every 90 days. If you suspect that someone is trying 
or may have obtained your password, change it immediately, and inform your 
information security officer. 

• Be sure nobody can watch over your shoulder while you type your password. Ask 
them to turn away while you type. Position your keyboard so that it is not easy to 
see what you type. 

• If you have a number of passwords to remember, you may want to write them down. 
You must securely lock them away where they cannot be accessed by others. 

• Help to ensure that passwords and accounts for employees, volunteers, contractors, 
and students are terminated within 24 hours of their departure. 

Remembering Passwords 

Since childhood, many people have used simple rhythms to remember things. Can you 
remember how you learned the alphabet, months of the year, state capitals, etc.? This 
technique is called "mnemonics." Below is an example of a mnemonic used to remember the 
planets of our solar system: their order is the rhythm: 

"Mary Very Easily Makes Jam Saturday Unless No Plums" 

Helps you to remember 

Mercury, Venus, Earth, Mars, Jupiter, Saturn, Uranus, Neptune, Pluto 




It may sound silly, but it works. Your memory makes sensible links between information, 
fitting facts into mental structures and frameworks. Building a simple mnemonic may not 
work if it does not make sense, but it only needs to make sense to you. 

Mnemonics are a useful tool in constructing passwords that cannot be found in a dictionary. 
How about using this as a password for the mnemonic above: 

MVEMjS,unp 

For more information about passwords, ask your Information Security Officer (ISO). 
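The password rules from this lesson (at least eight characters, three of the four character kinds, no dictionary words, no personal references, changed at least every 90 days) written up as a small checker. This is an added example, not code from the course or from VA; the word list and the personal-reference terms are constructed samples standing in for a real dictionary and a user's profile data, and the two passwords the lesson shows are used as inputs.

```python
"""Checker for the password rules stated in the VA Cyber Security Awareness
course: at least 8 characters, at least 3 of 4 character kinds, no dictionary
words, no personal references, and a change at least every 90 days.

The dictionary below is a constructed sample for this example; a real
deployment would load a full word list and the user's own profile data.
"""
from datetime import date
import string

MIN_LENGTH = 8       # "at least eight characters"
MIN_CLASSES = 3      # "at least three of the following four kinds"
MAX_AGE_DAYS = 90    # "changed at least every 90 days"

# Constructed sample word list (stands in for a real dictionary).
SAMPLE_DICTIONARY = {"password", "welcome", "veteran", "summer", "mary", "plums"}


def character_classes(pw: str) -> set:
    """Return which of the four kinds (upper, lower, digit, special) appear in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")   # #, &, *, @, comma, and anything else
    return classes


def check_password(pw: str, personal_terms=(), dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the list of rule violations; an empty list means the password is strong.

    personal_terms: names, birthdays, addresses etc. supplied by the caller
    (the course's "personal references" rule).
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses {len(classes)} character class(es); need {MIN_CLASSES} of 4")
    lowered = pw.lower()
    # Dictionary rule: reject a password that is, or embeds, a listed word.
    # Sorted iteration keeps the reported word deterministic.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
            break
    # Personal-reference rule: case-insensitive substring match on caller-supplied terms.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal reference '{term}'")
            break
    return problems


def is_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is older than the 90-day change interval.

    Dates are ISO strings (YYYY-MM-DD) so the check is easy to drive from
    a certificate or account record.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # The two passwords shown in the lesson, plus a weak one for contrast.
    for candidate in ("Gabc123&", "MVEMjS,unp", "password"):
        issues = check_password(candidate)
        print(candidate, "->", "strong" if not issues else "; ".join(issues))
    # A password set on the course-completion date in the declaration (constructed use).
    print("expired after 91 days:", is_expired("2006-03-31", "2006-06-30"))
```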
Risk Awareness Page 3 of 3 

Using the correct username and password combination is the primary method in the VA of 
identifying and managing access to systems and computer programs. 

Username and password combinations provide a guarantee that you are who you say you 
are. Through security and access rules built into computer programs and systems, your 
username and password also protect you from being able to carry out actions which are 
beyond your level of authorization. 

Once the details of your username and password have been shared with others, you have 
lost control over how they may be used or abused. You are held solely accountable for your 
account access. No one other than yourself should know or have access to your 
password(s). 

Most information systems have several ways to control username and password 
combinations in terms of complexity, life, usage or repetition. All of these controls are of 
little use if a system user loses or gives this password away. 

It is worth noting that in most cases, usernames are very easy to get and tend to follow a 
pattern which relates directly to your own name. This is a necessary risk. Therefore, 
constructing strong passwords and maintaining their confidentiality is of great importance. 
Confidentiality Page 1 of 3 



In VA, confidentiality is a must. Perhaps you have wondered what this means and what you 
need to do about it. Confidentiality is the condition in which VA's information is available to 
only those people who need it to do their jobs. 



Breaches in confidentiality can occur if you walk away from your computer 
without logging off or when paper documents are not adequately controlled. 
They sometimes occur when you are accidentally given access to too much 
computer information. Put another way, breaches can occur when someone 
has access to information that they do not need to do their jobs. 
Conversations about veterans' cases in public places such as elevators and 
hallways can be a breach of confidentiality. 



VA's computers are designed to protect confidentiality, but remember that 
there are things you can do, and things you should not do, to protect confidentiality. 
Computer Disposal and Confidentiality Page 2 of 3 




Getting rid of old computer equipment? Be careful! We in 
VA often look for ways to assist the community; it's one 
of the best things about us. 

Not long ago, some VA computers containing patient 
data and other information were inadvertently released 
into the community. This created an unacceptable and 
very serious breach of confidentiality. Imagine seeing 
your own personal information on a used VA computer 
that was donated to a school! While it is usually the 
responsibility of Information Technology (IT) staff to 
ensure the complete erasure of data before disposal of 
equipment, there are things you can do to help. 



• When possible, store your data on network drives instead of your desktop 
computer. 

• If you notice computers being excessed without full data erasure, let your ISO 
know. 

• Know that the "delete" command cannot remove all traces of data from your 
computer. 

To address the problem of removing all data from computers prior to disposal, VA's Office of 
Cyber and Information Security has purchased a special software tool called On Track Data 
Eraser. This tool prepares computers for proper disposal by "overwriting" the data on a hard 
drive several times. This process obliterates and makes the data irretrievable in any form. 
Every VA facility has received this tool for the IT staff to use. Working together, we will 
ensure that this never happens again! 

Your ISO can help you find other ways to secure your data. For more information, contact 
your facility Information Security Officer (ISO). 
Risk Awareness Page 3 of 3 

In isolation, keeping each process or piece of information confidential may not seem to be 
critically important. In reality, individuals inside and outside the VA who would attempt to 
breach confidentiality may collect seemingly insignificant fragments of information which, 
like a jigsaw puzzle, can be put together later to reveal a complete picture: a picture of VA. 

Breaches of confidentiality may occur immediately or in some cases, over extended periods 
of time, by collection of data and process information over months and sometimes years 
before systems are compromised. 
Practice Exam 1 Page 1 of 1 

Lesson 1 - Know your ISO 

If you think your workstation has been infected with a virus, you would contact: 

a. Your computer manufacturer 

b. Your Information Security Officer (ISO). 

c. Norton Virus Protection, Inc. 

d. Your Service Chief. 

e. None of the above. 

If you saw someone using a VA computer to commit fraud, you would call: 

a. Your friend down the hall. 

b. Nobody, because it is not your business. 

c. Your Service Chief. 

d. Your Information Security Officer (ISO). 

e. All of the above. 

Lesson 2 - Passwords 

Which of the following Rules of Thumb for passwords do not apply: 

a. Do not use words found in any dictionary. 

b. Do not use personal references (for example: names, birthdays, addresses). 

c. Have your friend keep a copy of your password in case you forget. 

d. Keep passwords secret. 

e. Follow the rules for creating good, strong passwords. 

Lesson 3 - Confidentiality 

Hitting the Delete key on your computer will erase the information from your computer 
completely. 

a. True 

b. False 

Privacy 

As Americans, we have fundamental expectations for privacy. The 
right to privacy is even built into our Bill of Rights as a basic 
human dignity afforded citizens. 

Privacy has a special legal meaning for government agencies. The Privacy Act requires that 
we as government employees take special care when we provide information to anyone 
about our veteran employees and other customers. Providing personal information to 
anyone, including veterans themselves, must be done only by persons authorized to do so. 
The same applies to requesting and receiving information about ourselves as employees 
and/or as veterans. Care must also be taken to assure that recipients of information are 
authorized to receive that information. As VA employees, we must follow legal procedures 
for disclosing and receiving information. These procedures ensure that information is 
distributed in a responsible manner and that VA accounts for the transaction. 



Information Privacy, Security, and the VA Mission 



Part of the VA mission is to ensure America's veterans receive 
medical care and benefits with dignity and compassion. To 
accomplish this, VA gathers all kinds of information from and 
about its beneficiaries. Much of it is related to health care, 
military service, finances, education, and other personal 
information. Lest we forget, something as simple as a veteran's 
home address and phone number is privileged information. The 
Privacy Act requires that we as government employees follow 
proper procedures when we provide information to anyone 
about veterans and others. If you handle health care 
information in your job at VA, you need to know about HIPAA. 
HIPAA grants rights to individuals and imposes obligations on 
organizations. For more information on Privacy and HIPAA you 
can go to the Privacy Awareness course or contact your local 
Privacy Officer. 
Helpful Guidance for Handling Privacy Requests Page 2 of 2 



If another VA employee asks you for veteran information under your control, your response 
may depend on several things, including: 

• The purpose of the request 

• The authority of the individual making the request 

• The established procedures for managing the request. 

If the request does not follow the standard procedures that you are familiar with, do not 
hesitate to consult your supervisor for directions prior to accessing or disclosing any 
information. 

A Little Curiosity Can Be Harmful... 

...Don't let it hurt you, any veteran, or your coworkers. 

It is human nature to be curious. We all may have occasional urges to find out a little bit 
more about each other. When tempted to delve into personal information about veterans 
you come in contact with or employees you work with, the best advice is stop and consider 
your actions: 

• Do you have a need to know in order to do your job? 

• The person you are curious about has the right to be treated with respect, 
dignity, and have their privacy maintained. 

• Unauthorized access or use of veteran, employee, or enterprise information 
entrusted to VA is a serious offense. Disciplinary action can be brought 
against you as well as legal action that could result in civil and felony 
punishment. 

Through established policies and procedures, VA has developed measures to protect the 
privacy and confidentiality of veterans and employees. Policies and procedures are only as 
good as the individuals who implement and follow them. Your informed knowledge and 
professional experience is the best defense against unauthorized use and disclosure of 
information. 




Requests for information from the public, media (newspapers, or 
radio and television stations), and others must be handled in a 
manner that protects the privacy of veterans, their families, and 
confidential corporate information. Such requests must be referred 
to the appropriate official at your facility. 

If you have questions about privacy in VA and your responsibilities 
as an employee, contact your supervisor, Privacy Officer, or 
Information Security Officer (ISO). 
Risk Awareness 

Privacy laws are designed primarily to protect the people whose data you work with on a 
day-to-day basis. The laws are there to ensure that veterans and their beneficiaries have 
recourse against intentional or unintentional misuse and abuse of protected data. Your 
protection within the VA is to adhere to the procedures and check when you are unsure of 
how to handle information. If you deviate from the established procedures, you and/or the 
VA could potentially become liable for any losses incurred in the event of legal action. 
Backups Page 1 of 2 




The work you do on VA's computers is important. It is important 
to you because of the time and effort expended to create it. It is 
important to VA and to veterans because it supports our mission. 

Is your work "backed up" and safe from loss? In most VA facilities, 
systems managers have created ways to ensure your work is 
saved in several places (backed up) so it is not lost. You should 
make sure your work is backed up. Making a copy of files for the 
purpose of having them available in case of a computer failure is 
called "backing up" or "creating a backup." Backups are done to a second storage medium 
such as a diskette, zip disk, CD, tape, or, the preferred method, your network drive. You 
should be sure to lock away the information in a secure area if it 
contains sensitive data. 



Information systems managers take purposeful steps to ensure 
that VA data is safe by systematically and routinely creating 
database backups on systems such as VistA, BDN, and others. It 
may not be reasonable to expect IT staff to be responsible for 
backing up the information on the computers of every user in your 
facility, so you may need to assume this responsibility yourself. If 
you are at all unsure if your work is backed up, contact your ISO. 
Backups Page 2 of 2 

Helpful suggestions to assist you in backing up your files: 

• The most important files to back up are the ones you create, such as word processing, 
spreadsheet, and presentation files. At home, you will want to back up your financial 
files (Quicken, Money, TurboTax, etc.). 

• Software programs do not need to be backed up. They can usually be reinstalled 
from the original media. 

• Store the files you create in a single location on your computer such as the "My 
Documents" folder. Doing so will make it easier to quickly create your backup. If you 
store your files in many different locations, it will be more time consuming to locate 
them and may prevent you from routinely backing up all of your files. 

• Set a schedule for backups appropriate to your needs. Some people may need to 
create daily backups. For others, weekly or even monthly may be adequate. Don't 
risk any more data to inadequate backups than you are willing to lose or have to 
recreate. 

• After creating a backup, verify that you can access your storage medium and open 
the files on it. 

• Storage media wear out, especially magnetic media. It is like watching an old movie 
on film or videotape. The recorded signal gradually wears out resulting in a grainy or 
unstable picture. This happens over time. Rotate your storage disks and periodically 
replace them with new disks or new technology. 

• Clearly identify the files on your storage medium. Trying to find a specific file in a 
pile of unlabeled disks is time-consuming and risky. 

• Store your backups in a safe and secure place. 

The most reliable computers are apt to eventually fail as a result of 
age, heat, dust, or mechanical failure. 

Backups are cheap insurance. The question is not if you will ever 
need to use your backup. Instead, the question is when. 

Ask your supervisor or Information Security Officer (ISO). They 
can tell you if your work is safe and can help you create a way to 
routinely back it up. 

Risk Awareness 

Private and uncontrolled media from backups may present a security risk if left unprotected 
or in places where access to them is unrestricted. Great care is taken to manage and 
protect data while it is on the VA network, but all this can be for nothing if the backup media 
is unprotected. Backups are not only useful in the event of complete loss; by naming files in 
numerical sequence, each stage of creation or modification of a document can be preserved 
in several iterations. Backup services are available on most networks for centrally stored 
and managed files. In most cases, locally stored files will not be backed up by network 
backup services. This is important if local files need to be protected as part of a separate 
local backup routine. 
E-mail 

In VA, e-mail has become a vital tool in conducting our business. Proper use of VA electronic 
mail is essential to ensure this resource is uninterrupted and used in legal ways. Chain 
letters and hoax messages rob us of valuable network capacity, computer space, and 
processing speed. You should not forward these messages to others. In fact, don't even 
request the sender stop sending you messages. Just delete them. These "please stop" 
messages sent by the thousands slow down our e-mail systems! Sensitive information 
should not be sent using e-mail unless it can be done securely. Before you send sensitive 
information on e-mail, you must ensure that it can be done securely. Some computer 
viruses attack e-mail systems, making them unavailable. You should learn to recognize the 
signs of a virus infection. 
E-mail Privacy and Security 




Do not think of e-mail as being similar to a personal letter 
delivered to you in a sealed envelope by the post office. 
Instead, e-mail is more like a postcard. Most often, it gets 
dependably delivered but there may be opportunities along 
the way for people other than the addressee to view the 
contents. 

E-mail is not considered private. You should have no 
expectation of privacy when using e-mail to transmit, store 
and communicate information. Private information about 
veterans and employees (any information that pertains to a 
veteran or employee that is coupled with information that 
can identify the veteran or employee) is not permitted to 
be transmitted by e-mail unless it is encrypted. 



E-mail is not considered secure. E-mail systems, including VA's, are vulnerable to virus 
attacks. In fact, most computer viruses are spread through e-mail messages (See E-mail 
Etiquette). 



E-mail hints for work and home. 

• Utilize virus-scanning software. Be sure it is kept up-to-date. Scan all e-mails 
and attachments sent to you. 

• Always be cautious in opening e-mail from people you don't know. Make sure the 
subject lines are appropriate before opening. If you are not sure whether the e-mail is 
legitimate, then contact the sender by phone. 

• Don't open attachments from people you don't know. 

• Utilize e-mail in an appropriate manner. Don't forward or create hoaxes or 
ask people to modify their computer systems. Don't spread rumors using e- 
mail. Be suspicious of any message that tells you to forward it to others. 

• Unsubscribe from mailing lists in which you are no longer interested. 

• Don't participate in "mail-storms" involving scores (or hundreds or even 
thousands) of users responding "me too!" or "thanks" or even "please stop." 

• Use "reply to all" sparingly. Does everyone in your large mail group really 
need to see your response? Often, it is more appropriate to limit your 
response to just the sender. 

Where do you go for information about the security of e-mail, or about questionable, 
improper, or illegal e-mail messages? You should consult your supervisor or local 
Information Security Officer (ISO) to ensure that VA e-mail is being used properly and 
securely, or if you have questions about these issues. 






Case 1:06-cv-01944-JR Document 3-21 Filed 11/20/2006 Page 30 of 48 



E-mail Etiquette Page 2 of 3 

Have you ever received an e-mail that was sent to a big distribution list that you didn't 
really need or want? Did you "Reply-to-All" asking why you were sent the message or 
asking to be removed from the message thread? When you do that, two things happen. 
First, you monopolize lots of people's time opening and reading your message. Second, the 
VA network gets flooded with messages that don't really contribute to our work. This flood 
of messages actually reduces the performance of VA's network, especially when people 
"Reply-to-All" to the responses. If you need to be taken off a thread, please contact the 
sender only. That way, our network can use its power to help us with our mission. For more 
information about e-mail etiquette, see 
http://vaww.vaco.va.gov/goodinfo/mailetiquette.htm, or contact your Information Security 
Officer. 
Risk Awareness Page 3 of 3 

Replying to unsolicited spam email is more likely to increase the number of messages sent 
to your address. When a spammer receives a reply, they can then be sure that your email 
address is valid. This can be exploited in the same way when spam emails offer you the 
option to unsubscribe, since this validates your email address to the spammers, who often 
increase the number of emails to that address. Email addresses can easily be faked; this is 
called spoofing. If the content of an email is particularly private or important, then increased 
security in the form of encryption (which reduces the likelihood of the message contents being 
read) may be considered. Most cryptographic systems also validate the integrity of the 
message to prevent tampering during transmission. If in any doubt, contact your ISO for 
advice or consider another, more appropriate transmission method. 
Practice Exam 2 
Lesson 4 - Privacy 

If you handle healthcare information in your job at VA, you need to know about _ . 



a. e-mail etiquette 

b. HIPAA 

c. Federal Information Security Management Act 

d. viruses 

Lesson 5 - Backups 

Which of the following items is NOT recommended when backing up your files? 

a. Store files in a single location. 

b. Identify the work on the storage medium. 

c. Verify access to your storage medium. 

d. Backing up software programs such as Word on your storage medium. 

What is a backup? 

a. Keeping your supervisor and coworkers informed about where you keep important 
documents and files. 

b. Routinely copying your computer and email files to a second storage medium. 

c. Creating duplications of important files and documents for storage with the 
originals. 

d. Informing your ISO every time your team creates an important document. 

Lesson 6 - Email 

What should you do if you receive a chain letter in an email? 

a. Follow the instructions in the email if it doesn't take too much of your time. 

b. Delete the email. 

c. Forward the email to your ISO. 

d. Reply to the email with a "please stop" message. 

What should you do if you receive an email attachment from someone you don't know? 

a. Do not open the attachment. 

b. Open the attachment if the subject line seems appropriate. 

c. Reply to the email and request more information. 

d. Open the attachment if your virus software doesn't alert you not to. 
Viruses Page 1 of 2 




Do you know that computer viruses can be one of the 
biggest causes of business loss at VA? High-tech vandals 
have created ever-more dangerous infectious programs that, 
in the past, have overcome VA's defenses. When that 
happens the data we depend on to fulfill our mission is 
compromised. It takes time and money to defend against 
viruses. It requires employee time to recover from attacks. 
Viruses make our jobs more difficult and steal resources 
away from our primary mission of serving veterans. Take an 
active role in virus defense. Find out if the computer you are 
using is protected. When anti-virus programs are loading, let 
them run to completion. Be suspicious of e-mail messages 
from people you do not know as well as of unexpected 
messages from people you do know. Look for suspicious activity, like a constantly active 
hard drive. Make sure data files and programs you load on your computer are authorized 
and free from viruses. 

Improvements in technology have permitted VA to institute an enterprise-wide anti-virus 
defense program. Often, anti-virus software is automatically installed and updated. 
Nonetheless, new viruses are an everyday occurrence, and anti-virus software offers no 
protection from newly developed, unknown viruses. Viruses can be spread from inside as 
well as from outside VA. Learn how to tell if the anti-virus programs on your work and home 
computers are running and current. 
Public peer-to-peer File Sharing Page 2 of 4 

Public peer-to-peer file sharing (commonly known as "P2P") is prohibited in VA. P2P refers 
to programs that allow anonymous sharing of files between computers. While there can be 
legitimate uses for P2P, more often these programs promote violations of copyright laws 
through exchange and distribution of music, videos, and games. 

In addition, public P2P is prohibited in VA because P2P programs may include viruses and 
"spyware". Without your knowledge or permission, spyware programs track and send 
information about you and your computer to thieves and hackers. This exposes you, your 
coworkers, veterans, and their families to the possibility of identity theft and theft of credit 
card, medical, and other personal or financial information. Transferring files using P2P has 
a very significant impact on VA's wide area network because it slows down or delays 
transmission of legitimate work. 

VA Memorandum "Prohibition on the Use of Public Peer-To-Peer File Sharing Programs" 
establishes policies that forbid loading, installing, or using public peer to peer programs. 
This memorandum and associated policies are available at the Office of Cyber and 
Information Security web portal at http://vaww.ocis.va.gov. 

Some common public P2P programs are KaZaA, Freewire, Grokster, and Morpheus. A 
complete list is available at the Office of Cyber and Information Security web portal at 
http://vaww.ocis.va.gov. 

Use of VA computing resources for public peer-to-peer file sharing violates VA Directive 
6001 "Limited Personal Use of Office Equipment". Don't be a victim. Practice safe 
computing. Contact your information security officer if you think your computer may have 
P2P software or spyware. 
Worms and Trojan Horses Page 3 of 4 



Software specifically designed to damage, corrupt, and disrupt a computer or network 
system is collectively known as malicious software, or "malware." It may be called a virus 
or worm and be carried by a Trojan horse. Here are some basic definitions for types of 
malware and how they impact your system. 

A virus is a software program loaded onto your computer and executed without 
your knowledge. 

One type of virus is called a worm. Worms can replicate themselves. A simple virus that can 
make a copy of itself over and over again is relatively easy to produce. A worm can be 
dangerous because it quickly uses all the available memory of your system and brings it to a 
halt. Viruses capable of transmitting themselves across the network and bypassing VA 
protections are even more dangerous because they infect system after system within the 
VA. 




Another type of virus is called a "Trojan Horse." The term Trojan Horse 
comes from a story in Homer's Iliad, in which ancient Greeks give a 
giant wooden horse to their foes, the Trojans, as a peace offering. After 
the Trojans drag the horse inside their city walls, Greek soldiers sneak 
out of the horse's hollow belly and open the city gates, allowing their 
compatriots to pour in, capture and destroy the city of Troy. As the 
name implies, these destructive programs masquerade as benign 
applications. Trojan Horses do not replicate themselves but they can be 
just as destructive. Their mission is to carry destructive viruses and 
introduce them into your computer or network. One of the most 
insidious types of Trojan Horse programs is one that claims to rid your 
computer of viruses but instead introduces viruses onto your computer. 



Viruses can be contracted through a variety of access 
points on your computer, from a software diskette, a CD- 
ROM, DVD, removable storage medium (zip drives, etc.) 
or e-mail. 

Malicious e-mail hoaxes are not viruses, but they are also 
potentially dangerous. In most cases, the sender asks you 
to forward a warning message "to everyone you know." 
The hoax may request the recipient to take corrective 
action, which instead, disables your system. A good 
example of an e-mail hoax is one that has a subject line: "Delete this file immediately." The 
message provides instructions on how to locate a critical computer system file and delete it. 
Even seemingly well-intentioned messages, when forwarded by thousands of recipients to 
thousands more recipients are bad because they slow down the entire VA network. In turn, 
this delays our important work of serving America's veterans. 

Symptoms 

If your computer has any of these symptoms, there may be a problem. 
Your computer: 

• reacts slower than usual. 

• stops running for no apparent reason. 

• fails to boot. 

• seems to be missing important files. 

• prevents you from saving your work. 





Virus defense for work and home 

In VA, all computers are required to have virus protection software. To be effective, the 
virus protection software must be kept up to date. New updates are usually issued every 
week. Contact your ISO or information technology staff if your VA 
computer is not up to date. While many sites automatically update 
virus protection software on networked computers, remember that 
non-networked computers, particularly VA issued laptops, will not 
receive automatic updates to virus protection software. If your 
computer is not networked it is particularly important that you 
assure that the virus protection software is regularly updated. 

• Delete e-mail messages with unusual subject lines, for example, "Open this 
immediately." 

• Never stop or disable your anti-virus program. 

• Always allow an anti-virus program to perform its routines without 
interruption. 

• Back up your files on a regular schedule. 

• Have your virus protection software set to scan your e-mails and 
attachments. 

• Be cautious and sensitive to attachments that have file extensions that 
execute system commands or applications. For example: .exe, .vbs, .js, .jse, 
.wsf, .vbe and .wsh. 

• Unless you can verify, do not delete any system files based on a request 
made on e-mail. 

To learn more about computer viruses and your role in virus defense, talk to your 
Information Security Officer (ISO). 
Risk Awareness Page 4 of 4 

As software applications become more feature rich and offer greater integration, the 
potential harm caused by virus code can be disastrous. The integration permits a blending 
of threats and can create a domino effect between each application, which can make tracing 
and preventing virus code very difficult. Virus code effectively puts part or the whole of your 
system beyond your control in ways that can be obvious or totally transparent to you. If you 
open an attachment, especially if it appears to do nothing, you should be aware that 
something has possibly started which will use your computer's resources and may store 
information that can compromise you in some way later. As virus code becomes more 
sophisticated, so must you become more aware of the expected results of each action you 
carry out and the exceptions that can occur. Virus writers are very aware of what you see 
on a day-to-day basis and will attempt to make their viruses look exactly like the 
applications you use. In this type of environment, it is essential that you are diligent and 
completely aware of what you know you have to do within each application and become 
highly critical any time deviations from what you expect are requested. 
Incidents Page 1 of 1 



Take a few moments to consider how important VA's computers are in conducting our 
business. Almost everything we do depends on our computers. Unfortunately, the same 
computers that help us serve veterans can also be used for theft and fraud. Electronic 
viruses can attack our computers. They can be stolen and vandalized. They can be used 
to distribute sensitive information to those not authorized to receive it. All these are 
examples of computer-related incidents. It is important to let your supervisor and 
Information Security Officer (ISO) know when you witness such incidents. Your ISO 
will contact the VA Security Operations Center (SOC) (VA SOC). Reporting cyber 
security incidents helps VA to reduce the negative impact of these events and to 
improve VA's information processing ability. 




The VA SOC was established to fulfill VA's need to ensure that computer security incidents 
are detected, reported and corrected as quickly as possible, and with minimal impact. VA 
SOC's primary responsibilities are to: 

• Serve as a central clearinghouse for all reported incidents, security alerts, and 
notifications; 

• Ensure additional SOC resources for all VA incidents as needed; 

• Coordinate effective notification of and response to all reported incidents; 

• Notify proper officials in each organization of reported incidents. 

Incident Do's and Don'ts 

When you think a computer security incident may have occurred, you should: 

• Gather details of the incident so you can communicate specific information 
to your ISO. 

• Collect the date, time, location, and involved computer systems. 

• Describe what you believe happened. 

• Copy any error messages displayed on your computer screen. 

• Copy any involved web addresses, server names, or IP addresses. 

• Time may be of the essence. Don't wait to call your ISO. 

• E-mail may not be the best way to report the incident. You may need to contact your ISO 
by phone or in person. 

• Limit discussion of the incident to only those with a specific need to know. 

• Do not discuss the incident with the media (radio, TV, newspapers) or anyone outside of 
your facility without first consulting your ISO and facility management. 

To report a cyber security problem, your primary point of contact is your VA information 
security officer. 

Risk Awareness 

Most successful security threats involve carrying out very simple routine tasks such as 
copying, saving, modifying or deleting files. Some of the most complicated incidents 
perpetrated have been based on combinations of these elements. We have become 
accustomed to making quick decisions about such actions and under the pressure of heavy 
workloads we may be tempted to let down our guard in order to get the job done. Hackers 
rely on these conditions by combining messages and requests that look normal to users. 
The key to effective incident prevention lies in your ability to establish the context of the 
request and to clearly establish where you are within the task you are conducting at the 
time. This will ensure you know whether it is appropriate to accept the modification of a 
computer setting or that a file should be deleted. 
VA Cyber Security: Part of Infrastructure Protection Page 1 of 1 




As a VA employee, you must be aware that the Department's 
information systems are part of America's strategic infrastructure. We 
are expected to maintain our ability to provide veteran services even in 
times of national tension. VA's information systems not only enable us 
to provide efficient services to America's veterans, they also enable VA 
to work with other agencies, including the Departments of Defense 
(DoD), Health and Human Services (HHS), and Homeland Security. In 
addition to our primary mission of serving veterans, VA has a role in 
responding to a variety of regional 
and national emergencies. 
The FBI has warned all Federal agencies that their 
systems and the information in those systems are 
potential targets for an ever-increasing number of cyber 
attacks. Now more than ever, the VA's systems and the 
information they contain must be available to serve our 
nation and its veterans. Please be alert to anything that 
might compromise VA's cyber security. Immediately 
report any incidents to your Information Security Officer. 
If they are unavailable, contact VA SOC at 1-877-279-8856. 



Contact your facility Information Security Officer (ISO) if you have questions about cyber 
security issues. For general information about VA's Cyber Security program, contact your 
local VA Information Security Officer. 

Risk Awareness 

The nature of work at the VA and its close involvement with the Strategic Infrastructure 
program may increase the likelihood and diversity of attacks on its information and 
systems. This heightened risk makes it more important for VA staff to know their jobs better 
to correctly decide appropriate procedures and courses of action to take in the event of 
unusual activity. 
Practice Exam 3 Page 1 of 1 

Lesson 7 - Viruses 

Software specifically designed to damage, corrupt, and disrupt a computer or network 
system is collectively known as: 

a. Computer destroyer 

b. Malicious software, or "malware" 

c. Junk mail 

d. Spam 

Lesson 8 - Incidents 

Hackers require users to carry out complex instructions in order to carry out attacks. 

a. True 

b. False 

When you are aware that a computer security incident has occurred, you should: 

a. Contact your friend down the hall and ask what to do. 

b. Gather details of the incident so you can communicate specific information to your 
ISO. 

c. Contact your local media (TV, Radio, etc). 

Lesson 9 - Infrastructure Protection 

VA information systems enable the Department to work with other agencies, including 
Department of Defense (DoD), Health and Human Services (HHS), and Homeland Security 
during times of national emergency. 

a. True 

b. False 
Social Engineering 

Have you heard of "social engineering?" Social engineering is an 
unauthorized person's manipulation of your trust to get you to give up 
information or resources that you should not give out. This is an 
important information security issue! 

Make sure when you are asked by someone to provide information or 
allow the use of your computer or accounts (in person, over the phone, 
or electronically), that you are certain of who they are and of their 
authorization to have/use that information or access as part of their 
job. Dishonest "social engineers" look for almost any kind of information to misuse, like 
your password or patient, budget, or employee information. VA employees have a natural 
desire to be helpful and provide useful information. Social Engineers try to take advantage 
of this to misuse resources or information. 
One example of social engineering perpetrated on VA facilities comes in 
the form of a phone call from someone claiming to be from "the phone 
company." The thief says they are testing lines and long distance circuits 
and instructs the employee to dial a special code that gives the caller 
access to FTS long distance service. This scam has resulted in thousands 
of dollars worth of unauthorized calls being made 
at VA expense. 



Unauthorized disclosure of information or granting of resources to 
dishonest social engineers is potentially a bigger threat to you and 
VA than most computer hackers. To learn more about social 
engineering and your role in defending against it, contact your 
Information Security Officer (ISO). 

Risk Awareness 
As a result of improvements in system security and more secure processes, hackers 
generally require more information from different sources in order to compromise modern 
systems. This progress in risk mitigation systems and techniques has created a rise in the 
number and sophistication of the social engineering techniques employed by hackers. Social 
engineers will rarely ask for secure or confidential information directly; instead they will 
gradually gain your confidence, often asking for nothing on the first call in order to build up 
trust for a later request. This means that your diligence is becoming critically important 
and, in some cases, constitutes the last line of defense. 
The citizens of our country expect that as VA employees, we will 
not misuse or abuse the resources provided to us to accomplish 
our mission. As a VA employee, you may have the privilege of 
some "Limited Personal Use" of certain government resources, 
such as computers, e-mail, Internet access, and telephone/fax 
service. This benefit is available only as long as it does not 
interfere with official VA business, is performed on the 
employee's non-work time, involves minimal additional expense 
to the Government, and is legal and ethical. Remember that 
your personal use may be limited at any time either by your 
management or by those responsible for the particular 
government resource you want to use. Before using this privilege, you should discuss your 
limits and responsibilities in using it with your supervisor and Information Security Officer 
(ISO). 
Ethics 

"Ethics is about understanding how your actions affect other people, knowing what is right 
and wrong, and taking personal responsibility for your actions..." 
- Winn Schwartau 

• Ethics deals with placing a "value" on acts according to whether they are "good" or 
"bad." Every society has its rules about whether certain acts are ethical or not. The 
same thing is true when using a VA computer system to access confidential 
information. 
Misuse or Inappropriate Use 

Examples of Misuse or Inappropriate Use include the following: 
Any personal use that could cause congestion, delay, or disruption of service 
to any Government system or equipment. For example, continuous data 
streams, video, sound, or other large file attachments that degrade 
performance of VA's network. 

Using VA systems as a staging ground or platform to gain unauthorized 
access to other systems. 

The creation, copying, transmission, or retransmission of chain letters or 
other unauthorized mass mailings regardless of the subject matter. 

Activities that are illegal, inappropriate, or offensive to fellow employees or the 
public. Such activities include hate speech, or material that ridicules others on the 
basis of race, creed, religion, color, sex, disability, national origin, or sexual 
orientation. 

The creation, downloading, viewing, storage, copying, or transmission of sexually 
explicit or sexually oriented materials. 

The creation, downloading, viewing, storage, copying, or transmission of materials 
related to gambling, illegal weapons, terrorist activities, and any illegal activities or 
activities otherwise prohibited. 

Use for commercial purposes or in support of "for profit" activities or in 
support of other outside employment or business activity (e.g. consulting for 
pay, sales or administration of business transactions, sale of goods or 
services). 

Engaging in any outside fund-raising activity, endorsing any product or 
service, participating in any lobbying activity, or engaging in any prohibited 
partisan political activity. 

Posting agency information to external newsgroups, bulletin boards, or other 
public forums without authority. This includes any use that could create the 
perception that the communication was made in one's official capacity as a VA 
employee (unless appropriate approval has been obtained), or uses that are 
at odds with the agency's mission or positions. 

Any use that could generate more than minimal additional expense to the 
government. 

The unauthorized acquisition, use, reproduction, transmission, or distribution 
of any controlled information including computer software and data, that 
includes privacy information; copyrighted, trademarked, or material with 
other intellectual property rights beyond fair use; proprietary data; or export- 
controlled software or data. 
Be sure to discuss your limits and responsibilities with your supervisor and Information 
Security Officer (ISO). 

Risk Awareness 
Most business use of computer systems is well defined, and it is generally clear to the user 
when they go beyond the intended function of each application. Commercial applications are 
designed with access control and functional control in mind and as a result are less prone to 
accidental misuse. This distinction is less clear with non-business applications, particularly 
Internet browser-based applications. Not only are these applications generally less well 
protected, but most web sites advertise using pop-ups, some of which masquerade as system 
messages and which, if run, can install unwanted applications, phone dialers, and viruses on 
the computer. If business systems are used for personal purposes, the risk these systems 
have to bear increases. Even though every reasonable precaution is taken to protect users 
and systems in both usage modes, it is always better to keep personal use of systems to a 
minimum, thus reducing the likelihood of a vulnerability being exploited and the system 
being compromised. 
Lesson 10 - Social Engineering 

Which is not an example of how a social engineer may gain your trust to get unauthorized 
information: 

a. You receive an e-mail message from your new computer service technician asking for 
your username and password. 

b. You receive a phone call from the telephone company technician who needs your 
username and password in order to complete their testing of the phone lines in your 
facility. 

c. You receive a letter from the friend of a veteran asking for important medical 
information. 

d. You receive a call telling you that they want to break into your computer system. 

Social Engineering is an unauthorized person's manipulation of your trust to get you to give 
up information or resources that you should not give out. 

a. True 

b. False 

Lesson 11 - Authorized Use 

The citizens of our country expect that as VA employees, we will not misuse or abuse the 
resources provided to us to accomplish our mission. 

a. True 

b. False 

As a VA employee, you may have the privilege of some "Unlimited Personal Use" of certain 
government resources, such as computers, e-mail, Internet access, and telephone/fax 
service. 

a. True 

b. False 

"Ethics is about understanding how your actions affect other people, knowing what is right 
and wrong, and taking personal responsibility for your actions..." 

a. True 

b. False 
Friday, March 31, 2006 9:08 AM 

Subject: Emailing: eescert.htm 




Employee Education System 

Certificate of Completion 

This is to certify that 

has completed a course entitled 
VA Cyber Security Awareness - FY06 



The Employee Education System has presented this 
Continuing Education Activity for 1 contact hour(s) 



The Employee Education System maintains responsibility for the program. 

This On-Line Course was completed on Mar 31, 2006 




Joy W. Hunter 
Dean, VA Learning University 



5/18/2006 